Overview

Kyverno is a policy engine designed specifically for Kubernetes. Kyverno allows platform teams to manage environment specific configurations independently of workload configurations and enforce configuration best practices for their clusters. Kyverno can be used to scan existing workloads for best practices, or can be used to enforce best practices by blocking or mutating API requests.

Kyverno runs as a dynamic admission controller in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the kube-apiserver and applies matching policies to return results that enforce admission policies or reject requests. Kyverno policies can match resources using the resource kind, name, and label selectors.


What Will You Do

In this exercise,

  • You will create a cluster blueprint with a "kyverno" add-on
  • You will then apply this cluster blueprint to a managed cluster

Important

This tutorial describes the steps to create and use a Kyverno based blueprint using the Web Console. The entire workflow can also be fully automated and embedded into an automation pipeline.


Assumptions

  • You have already provisioned or imported a Kubernetes cluster using the controller

Step 1: Create Kyverno add-on using System Catalog

  • Log in to the Web Console and navigate to your Project as an Org Admin or Infrastructure Admin
  • Under Infrastructure, select "Namespaces" and create a new namespace called "kyverno"

  • Under Infrastructure, select "Add-ons"

  • Click New Add-on and select the Create New Add-on from Catalog option
  • Search for kyverno in the Catalog
  • Select kyverno and create a new add-on called "kyverno"
  • Select the namespace as "kyverno"
  • Click CREATE to go to the next step
  • Select "New Version" and name it "v2.6.1"
  • Click "SAVE CHANGES"

Create Kyverno addon


Step 2: Create Blueprint

Now, we are ready to assemble a custom cluster blueprint.

  • Under Infrastructure, select "Blueprints"
  • Create a new blueprint and provide a name/version
  • Under Add-Ons, select "ADD MORE" and choose the "kyverno" add-on created as part of Step 1
  • Click "SAVE CHANGES"

Create Custom Blueprint


Step 3: Apply Blueprint

Now, we are ready to apply this blueprint to a cluster.

  • Click on Options for the target Cluster in the Web Console
  • Select "Update Blueprint" and select the blueprint and the version from the dropdown
  • Click on "Save and Publish".

This will start the deployment of the add-on configured in the blueprint to the targeted cluster. The blueprint sync process can take a few minutes. Once complete, the cluster will display the current cluster blueprint details and whether the sync was successful or not.

Create Custom Blueprint


Step 4: Verify Deployment

Users can optionally verify whether the correct resources have been created on the cluster.

  • Click on the Kubectl button on the cluster to open a virtual terminal

First, we will verify that the kyverno namespace has been created:

kubectl get ns kyverno

Next, we will verify that the pods are healthy in the "kyverno" namespace:

kubectl get po -n kyverno
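The two commands above are a manual check. As an added example (not part of the original tutorial), the script below wraps the same verification so it can run from a pipeline: it confirms the namespace exists, that every pod in it is Running and fully ready, and that Kyverno's validating and mutating webhook configurations are registered with the API server, since without those webhooks the admission controller is never called and no policy is enforced. It assumes kubectl is configured for the target cluster and that the webhook configuration names contain "kyverno"; the namespace name and the RUN_LIVE switch are this script's own conventions.

```shell
#!/bin/sh
# Added verification helper for Step 4 (not part of the original tutorial).
# Assumes kubectl points at the target cluster and the blueprint installed
# Kyverno into the "kyverno" namespace (override with KYVERNO_NS).

NS="${KYVERNO_NS:-kyverno}"

# Reads "kubectl get po --no-headers" lines (NAME READY STATUS RESTARTS AGE)
# and returns 0 only when every pod is Running with READY equal to n/n.
check_pod_lines() {
  unhealthy=0
  while read -r name ready status _rest; do
    [ -z "$name" ] && continue
    got="${ready%%/*}"
    want="${ready##*/}"
    if [ "$status" != "Running" ] || [ "$got" != "$want" ]; then
      echo "unhealthy pod: $name ($ready $status)"
      unhealthy=1
    fi
  done
  return "$unhealthy"
}

# Reads "kubectl get ... -o name" lines for both webhook configuration kinds
# and returns 0 when at least one validating and one mutating configuration
# whose name contains "kyverno" is registered (assumed naming convention).
check_webhook_names() {
  v=0; m=0
  while read -r line; do
    case "$line" in
      validatingwebhookconfiguration*kyverno*) v=1 ;;
      mutatingwebhookconfiguration*kyverno*) m=1 ;;
    esac
  done
  [ "$v" = 1 ] && [ "$m" = 1 ]
}

# Live checks against the cluster: RUN_LIVE=1 sh verify-kyverno.sh
verify_kyverno_live() {
  kubectl get ns "$NS" >/dev/null || { echo "namespace $NS not found"; return 1; }
  kubectl get po -n "$NS" --no-headers | check_pod_lines || return 1
  kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o name \
    | check_webhook_names || { echo "kyverno webhooks not registered"; return 1; }
  echo "kyverno is healthy in namespace $NS"
}

if [ "${RUN_LIVE:-0}" = "1" ]; then
  verify_kyverno_live
fi
```

A non-zero exit from verify_kyverno_live is the signal to fail the pipeline stage rather than assume policies are being enforced.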

Recap

Congratulations! You have successfully created a custom cluster blueprint with the "kyverno" add-on and applied it to a cluster.